Comment by selmnoo
12 years ago
What an unbelievably stupid line of thinking.
Kidnapped their children? Get a hold of yourself here. Google is a tech company, it is a perfectly reasonable expectation that they get the big parts of their security model right. Not encrypting data going through leased (or even their own) fibers? Big, big mistake. NSA and US government aside, Google dropped the ball big-time here.
> Why do I sometimes get the feeling that people specifically want to hate on these companies when the real outrage should be for the government spooks.
Funny you say that. Because I was pretty much a Google fanboy before all of this happened (oh, and their recent changes wrt privacy policies). I am very angry at the government, but that is a separate issue.
Security is based on threat model. The spooks have capabilities that far exceed the threat models most companies assume from private blackhats. You think it is obvious to assume in hindsight that the government would dig up and tap your dark fiber, but you don't think it obvious the government would plant spies to do in-side-the-data-center taps. Now what? Encrypt all data between switches? The Soviets didn't think their undersea cables could be tapped either, and no one can claim they were insufficiently paranoid.
My point is, I don't want Silicon Valley in an arms race with the US government. The government is supposed to protect its citizens and companies, not work to undermine them. Google is working on rolling out better security, just like they eventually rolled out SSL everywhere before most other companies. They are at the forefront on this, but it still takes time and costs money. But even though they are spending time and resources on this, I would still like the US government to cut it out.
I'm not getting through to you.
At the end of the day, Google lost. To a considerable extent, cloud lost. People who were trusting Google with their data lost. What is ostensibly true at this point at is that Google could have done something to have prevented this. All else is immaterial. Just like I would expect to lose business if I made a mistake and had data compromised (because doing X and Y was too difficult or too costly for me to do, because it was 'outside' my control, because I was too inept, or whatever else), Google should expect to lose some business the same way. If security is based on a threat model -- and it eventually loses, it was bad security.
Well, it would help if you would write in a way that is not insulting and condescending.
There's no "if" about it. All security is based on threat model, the lock on your front door is based on the threat of the average criminal, and not Watergate burglars. Are you guilty of bad security? Is it your fault if your front door lock gets picked because you made assumptions about the sophistication of your attacker?
You originally said "I'll never trust them again", but that beg's the question, just who will you trust? Unless you are using end-to-end encryption with everyone, there is no way to secure against NSA interception, and pretty much all of Google's cloud competitors are actually worse in terms of deployed security. And assuming end-to-end is secure is basically just assuming a threat model where the NSA or Chinese government can't plant infected firmware or hardware in your devices.
2 replies →
You mean like the things that Google has done, as soon as the threat vector seemed credible?
http://www.informationweek.com/security/government/nsa-fallo...
what if that government who could tap into fiber was not US government? I think any communication outside the confines of corporate buildings should be encrypted.
> What an unbelievably stupid line of thinking.
Sentences like that have no place on HN.
> Kidnapped their children? Get a hold of yourself here.
It's supposed to be an extreme example. He's trying to probe your boundaries -- if you'd forgive them in the kidnapping example, he could then name a somewhat less extreme example, like if the CIA had broken into a Googler's home to plant a recording device.
But, since you totally dodged the question, the opportunity was missed.
Why would have they treated their own fibers untrustworthy?
As has been pointed out, Google owns a lot of fiber. When you have stuff that spans thousands of miles, there's a very real possibility that a bad actor can try to tap into it.
Apparently even tapping undersea cables is not as challenging as some think, according to Kapela: http://motherboard.vice.com/blog/undersea-cable-surveillance...